0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3

General

Target

0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Size

536KB
MD5

10a489b443ede90cc3748fd4cdfa5a0a
SHA1

24b02d71e7d9a970b43c2523bb7d094ea04fac89
SHA256

0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3
SHA512

e7060eaaa03fc07b26fc09f744dc5ffecdac558d527bcf8c575ed177e23bdf8eb7bec8985fe933e9e6a6342d37e3310fb1a19ca5545d61880e6e8db7d1fb1231
SSDEEP

12288:Xhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:XdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-0-0x0000000000980000-0x0000000000A82000-memory.dmp	upx
behavioral1/memory/1700-42-0x0000000000980000-0x0000000000A82000-memory.dmp	upx
behavioral1/memory/1700-371-0x0000000000980000-0x0000000000A82000-memory.dmp	upx
behavioral1/memory/1700-446-0x0000000000980000-0x0000000000A82000-memory.dmp	upx
behavioral1/memory/1700-705-0x0000000000980000-0x0000000000A82000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1d1ac8	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Token: SeTcbPrivilege	1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Token: SeDebugPrivilege	1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Token: SeDebugPrivilege	1256	Explorer.EXE
Token: SeTcbPrivilege	1256	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1256	1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe	6
PID 1700 wrote to memory of 1256	1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe	6
PID 1700 wrote to memory of 1256	1700	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe	6

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256
- C:\Users\Admin\AppData\Local\Temp\0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
  "C:\Users\Admin\AppData\Local\Temp\0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba5a454e67282e833539a41559b0dfec

SHA1
f12f4a39566bccca9787f038021d9542deeb9333

SHA256
4283fa067429a10efb69b5c5138b8ab5e7d6c63b4db12924744fc3448ac012ad

SHA512
1b7d19bc09874fb6e0ffa59c07b368d85ac1443017a3d715100995ea0280326034a14699caae1f5b7d2ae65c49d0938b80c70dabe182a894ea2518b34a650d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8DC1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8DE3.tmp

Filesize
38KB

MD5
7b2d2c6c3b603166625892a758aaca3c

SHA1
4dd6c2f580f0a956175549e98d569263e75bc1c3

SHA256
8682eb18416f736ef23d1f8e5a2a76647fcbba631599f0f622f2285ad41f01e2

SHA512
9c8fe096de9934db3934f6aef3bfd53fa604d3d3316c9013121e3a68c0266b3eb4e6e6bfb48a87f01cea0f91a076a51de35c655a9c17c665732361de64431627

Download Submit
memory/1256-7-0x0000000002A10000-0x0000000002A13000-memory.dmp

Filesize
12KB

Download
memory/1256-6-0x0000000002B00000-0x0000000002B79000-memory.dmp

Filesize
484KB

Download
memory/1256-4-0x0000000002A10000-0x0000000002A13000-memory.dmp

Filesize
12KB

Download
memory/1256-152-0x0000000002B00000-0x0000000002B79000-memory.dmp

Filesize
484KB

Download
memory/1256-3-0x0000000002A10000-0x0000000002A13000-memory.dmp

Filesize
12KB

Download
memory/1700-0-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download
memory/1700-42-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download
memory/1700-371-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download
memory/1700-446-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download
memory/1700-705-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing